Microsoft Hops On Two-Factor Authentication Bandwagon

← Back to Stories (view on slashdot.org)

Microsoft Hops On Two-Factor Authentication Bandwagon

Posted by Soulskill on Wednesday April 17, 2013 @08:56AM from the not-last-and-not-least dept.

itwbennett writes "Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products. Users will find instructions on how to add a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent to the user's mobile phone, the number of which Microsoft will keep on file, each time the user logs on."

132 comments

Min score:

Reason:

Sort:

What does this mean? by Anonymous Coward · 2013-04-17 08:58 · Score: 5, Funny

Will I not be able to pirate Win8.1?
1. Re:What does this mean? by Anonymous Coward · 2013-04-17 10:50 · Score: 2, Insightful
  
  Who cares?
Does MS even understand Two Factor by Archangel+Michael · 2013-04-17 09:02 · Score: 0

I'm not sure Microsoft actually understands two factor authentication. The description (could be wrong, didn't read the article) doesn't sound like two factor authentication to me.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
1. Re:Does MS even understand Two Factor by BradleyUffner · 2013-04-17 09:10 · Score: 5, Informative
  
  It is 2 factor authentication.
  The 3 authentication factors are:
  Something you Know.
  Something you Have.
  Something you Are.
  This meets 2 of those factors, a password (know), and your phone (have).
2. Re:Does MS even understand Two Factor by RightSaidFred99 · 2013-04-17 09:25 · Score: 3, Funny
  
  Yes. Microsoft, who hires thousands of the best developers including elite Ph.D researchers and pays them large sums of money doesn't know what two factor authentication is.
  You cracked the case, Murder She Wrote.
3. Re: Does MS even understand Two Factor by UnknowingFool · 2013-04-17 09:36 · Score: 3, Informative
  
  The article refers to it as "two-step" not two factor. The title and summary says it is two factor.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
4. Re: Does MS even understand Two Factor by FatdogHaiku · 2013-04-17 09:42 · Score: 1
  
  I don't want to log-on with a country dance...
  http://www.youtube.com/watch?v=asNHCGYb9AA
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
5. Re:Does MS even understand Two Factor by dmbasso · 2013-04-17 09:43 · Score: -1, Flamebait
  
  Nice, so it is a 3 factor authentication! The password, the phone, and if you are using Microsoft products, you are certainly _________. Feel free to fill the blank as you wish. :)
  
  --
  `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
6. Re: Does MS even understand Two Factor by bloodhawk · 2013-04-17 09:43 · Score: 1, Troll
  
  yep and pretty sure MS don't write the Slashdot summaries around here. The retarded monkeys that translate them into the clickbait that is acceptable here are kept in a cage in the far corner.
7. Re:Does MS even understand Two Factor by wonkey_monkey · 2013-04-17 09:59 · Score: 5, Funny
  
  It is 2 factor authentication.
  The 3 authentication factors are:
  Something you Know.
  Something you Have.
  Something you Are.
  And a fanatical devotion to the Pope- Four! Four authentication factors!
  
  --
  systemd is Roko's Basilisk.
8. Re:Does MS even understand Two Factor by DragonWriter · 2013-04-17 10:04 · Score: 2
  
  I'm not sure Microsoft actually understands two factor authentication. The description (could be wrong, didn't read the article) doesn't sound like two factor authentication to me.
  I suspect they understand what two-factor authentication is quite well, and that is the reason that their label for what they are doing is "two-step authentication", which is only confusingly similar to "two-factor authentication". They very carefully do not actually call it "two-factor authentication".
9. Re:Does MS even understand Two Factor by ericloewe · 2013-04-17 10:11 · Score: 4, Funny
  
  I certainly didn't expect a spanish inquisition joke.
10. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 10:20 · Score: 0
  
  It's much more likely that you don't actually understand two factor authentication, and that Microsoft does. You know a password (one factor), you have a phone which receives the text message (second factor). Entering the code off the phone is not a "what you know," it's a "what you have" (the phone with the code). This is exactly how RSA SecureID works, except that the phone is receiving the token code from a central source instead of generating it based on a stored crypto seed.
11. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 10:28 · Score: 0
  
  a normal human being.
12. Re:Does MS even understand Two Factor by mcneely.mike · 2013-04-17 11:11 · Score: -1
  
  Obligatory:
  
  No one expects a Spanish inquisition joke!
  
  --
  soylentnews.org Go there to enjoy the people!
13. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 11:20 · Score: 1
  
  a normal privacy-free human being.
  FTFY.
14. Re:Does MS even understand Two Factor by node+3 · 2013-04-17 13:04 · Score: 3, Insightful
  
  You're thinking of Google.
  Microsoft is surprisingly good about privacy. I'm not sure if it's part of MS's culture, or a side-effect of their loss of market leadership. Either way, I find MS to be quite trustworthy with regards to privacy.
  MS can be fairly competent when they aren't a monopoly and can't bully others around.
15. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 13:08 · Score: 0
  
  You're thinking of Google. Microsoft is surprisingly good about privacy.
  
  No, I'm not and no, they're not.
  Look past the "Scroogled" smear campaign astroturf and you'll see MS has a far worse record than Google, including cooperating with law enforcement in countries with poor human rights records.
16. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 13:21 · Score: 0
  
  NOBODY expects the Spanish Inquisition! Our chief weapon is surprise!
17. Re:Does MS even understand Two Factor by node+3 · 2013-04-17 18:41 · Score: 1, Insightful
  
  "Scroogled" is just silly marketing. I'm talking about actual privacy. Google tracks and *STORES* everything you do on the internet that touches a Google server. MS does not. That's because that's Google's business model.
  And Google is caught, constantly, repeatedly, and without remorse, doing bad things with people's private data.
  But, no, MS follows the laws of other countries? OMYGOD! Guess what: Google does as well. They have to. It's (duh) the law.
18. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 19:33 · Score: 0
  
  >But, no, MS follows the laws of other countries? OMYGOD! Guess what: Google does as well. They have to. It's (duh) the law.
  Surprisingly many on Slashdot seems to think that Corporations should be above the law.
19. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-17 20:17 · Score: 0
  
  and honestly.. why do people want to blindly trust advertising companies anyway? They were supposed to be the ultimate scum on slashdot ... except when its about google.. then the shills come out.
20. Re:Does MS even understand Two Factor by node+3 · 2013-04-17 20:45 · Score: 1
  
  Because Google gives out geek toys and speaks nerd.
  Which would be wonderfully fantastic, if it wasn't a trojan horse.
21. Re:Does MS even understand Two Factor by tehcyder · 2013-04-17 23:27 · Score: 1
  
  Surprise and an almost fanatical...oh, we've already done that.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
22. Re:Does MS even understand Two Factor by Anonymous Coward · 2013-04-18 00:00 · Score: 0
  
  you crazy, take your meds. MS gives no where near the info that Google does. If you don't know this then there is no sense point out articles to you .......Google fanboy
23. Re:Does MS even understand Two Factor by Medievalist · 2013-04-18 03:25 · Score: 1
  
  And Google is caught, constantly, repeatedly, and without remorse, doing bad things with people's private data.
  Oh, now, that's simply not true. Google may not feel any remorse about what they've been caught doing, sure, but they clearly feel great remorse over being constantly and repeatedly caught.
Wait a minute... by Anonymous Coward · 2013-04-17 09:03 · Score: -1

This isn't really two-factor auth. If someone steal your phone, you are screwed.
1. Re:Wait a minute... by ButchDeLoria · 2013-04-17 09:05 · Score: 1
  
  Given that cell phones are as much a part of your everyday carry as a wallet and keys, you would be screwed anyway if someone stole your phone.
2. Re:Wait a minute... by BradleyUffner · 2013-04-17 09:07 · Score: 2
  
  This isn't really two-factor auth. If someone steal your phone, you are screwed.
  Something you Know (password).
  Something you Have (phone).
  Something you Are (doesn't do this yet).
  Sounds like it's meeting 2 different factors of authentication to me.
3. Re:Wait a minute... by Zero__Kelvin · 2013-04-17 09:10 · Score: 1
  
  Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
4. Re:Wait a minute... by BradleyUffner · 2013-04-17 09:13 · Score: 2
  
  Unless of course the phone is used to access the email with a stored password, which is the typical use case with phone email access.
  Unless the user doesn't store their password on the phone. Then it IS 2 factor. The user doing something by their choice doesn't negate the fact that this is 2 factor authentication if used "correctly".
5. Re:Wait a minute... by Anonymous Coward · 2013-04-17 09:23 · Score: 0
  
  This isn't really two-factor auth.
  Leaving aside that people often aren't clear on what "authentication" is, there isn't any good, hard definition of what constitutes a factor. Invariably the standard waffle is trotted out: "something you know", "something you have", or "something you are". It's very deceptive when you're trying to evaluate an authentication scheme as it handwaves away all the messy details.
  
  If someone steal your phone, you are screwed.
  Most of these schemes (at least Apple and Google) have you print out some recovery codes in case you lose your phone.
6. Re:Wait a minute... by Anonymous Coward · 2013-04-17 09:30 · Score: 1
  
  I still wouldn't mind so much here - the number of people that can access the account is restricted to exactly 1 since only one person can possess the phone at any given time. Unless someone wants to sit there and field passcodes to everyone that wants to hack the account, but this would be painfully slow.
  Besides the carrier would reissue the phone and disconnect the old one with good ID and it's fairly easy to prove that you're paying the phone bill anyway.
7. Re:Wait a minute... by Anonymous Coward · 2013-04-17 09:31 · Score: 0
  
  Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one and while telcos continue to screw us and the governments charge exhorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
8. Re:Wait a minute... by ericloewe · 2013-04-17 09:37 · Score: 1
  
  Authorized computers don't need extra verification and they'll probably have the printable one-time-code pads, like google. Nothing keeps you from using any RFC 6238 passcode generator, like those on this list, on a second device (as you can see there's plenty to choose from) - it's just a matter of inserting the same code in all your generators.
9. Re:Wait a minute... by Anonymous Coward · 2013-04-17 10:09 · Score: 0
  
  Good for you.
10. Re:Wait a minute... by Anonymous Coward · 2013-04-17 10:14 · Score: 0
  
  Microsoft is using additional verification methods such as a short code sent to the user's mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address.
  Let's keep reading:
  
  As an alternative to security codes, Microsoft is providing a number of other forms of authentication as well. For smartphones, users can deploy an authenticator app. Microsoft has released an authenticator app for Windows Phones, and third-party authenticator apps can be used for other platforms. For those devices that do not directly support two-factor authentication, such as the Xbox, users can get a secondary password, one unique to each device.
  So, either you didn't read the article, or have the reading comprehension of a 5 year old.
11. Re:Wait a minute... by Anonymous Coward · 2013-04-17 12:50 · Score: 0
  
  but nobody does this
12. Re:Wait a minute... by tehcyder · 2013-04-17 23:35 · Score: 2
  
  Maybe in your world but not in mine. Reception where I live sucks. Bandwidth is barely acceptable and a mobile is practically useless. I do not own one and while telcos continue to screw us and the governments charge exhorbitant fees for what is essentially nothing (go on - define spectrum) I'm waiting for something that provides me with ACTUAL value.
  Yes, and the Amish don't watch porn on the internet.
  There are always exceptions to any rule when it comes to human beings.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
13. Re:Wait a minute... by Zero__Kelvin · 2013-04-18 00:06 · Score: 1
  
  First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
14. Re:Wait a minute... by dacaldar · 2013-04-18 05:01 · Score: 1
  
  I'm not sure what is so hard to understand. You have a phone lock password, which stands in for the client memorized password, as the "something only you know".
  Unless you don't have a phone lock password, in which case you are explicitly stating that you don't give a shit about security at all...
15. Re:Wait a minute... by Zero__Kelvin · 2013-04-18 05:12 · Score: 1
  
  I guess you didn't read the GP post or the article summary. He wasn't talking about M$ providing one of the two factors and a third party offering the other, in which case it isn't Microsoft offering two factor auth now, is it? It is more like Microsoft relies on Google/Apple for second factor.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
16. Re:Wait a minute... by BradleyUffner · 2013-04-18 07:09 · Score: 1
  
  First of all, you merely just repeated what I said with regard to specifying if the user does or does not store passwords. Now, here is a quiz for you. I already have my phone set up to remember my email address. Without deleting and recreating the account in the mail client, how do I tell it to forget the stored password? Furthermore, people keep their password stored on the phone for a reason. A good password is a royal pain in the ass to type in manually on a smartphone.
  The first rule of good password use is that you don't write it down or store it anywhere. If you store your password on your phone then YOU are sacrificing some security in exchange for convenience. The exact same things happens if a user writes their password on the back of a physical SecuID token, yet those tokens are considered part of a 2 factor system. In any security system the users are the weakest part. Even 2-factor systems can be broken by the bad practices of the users.
17. Re:Wait a minute... by Zero__Kelvin · 2013-04-19 01:12 · Score: 1
  
  Your post has nothing to do with the actual conversation.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
18. Re:Wait a minute... by BradleyUffner · 2013-04-19 05:26 · Score: 1
  
  Your post has nothing to do with the actual conversation.
  Ok, please tell me which of the following statements are wrong and why.
  1. This system requires the user to enter a password.
  2 .This system can be configured to require the user to enter a code sent via SMS to the user's phone.
  3. A password is an authentication factor.
  4. Physical access to an object is an authentication factor.
  5. 1 + 1 = 2
19. Re:Wait a minute... by Zero__Kelvin · 2013-04-19 05:55 · Score: 1
  
  #5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. 5 Should read: 1 * 1 = 1
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
20. Re:Wait a minute... by BradleyUffner · 2013-04-19 06:08 · Score: 1
  
  #5 is wrong. You used addition when you should have used multiplication. The system that requires the user to enter a password is the same as the system that the user must have. That is 1 system, not two. 5 Should read: 1 * 1 = 1
  No it isn't. I don't store my microsoft password on my phone. My microsoft password exists only in my head, as properly used password should. Just because YOU CHOOSE to store your password on the same device as your token does not mean that it isn't 2-factor authentication. It sounds like you are using 2 factor authentication wrong, not microsoft.
21. Re:Wait a minute... by Zero__Kelvin · 2013-04-19 06:20 · Score: 1
  
  "YOU CHOOSE to store your password on the same device as your token"
  Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
22. Re:Wait a minute... by BradleyUffner · 2013-04-19 07:02 · Score: 1
  
  "YOU CHOOSE to store your password on the same device as your token"
  Are you some kind of moron? My phone isn't a token. That is the whole point. The standard use case is for passwords to be stored on the phone. Everyone does it, because one would be a moron not to do so. It would break the entire mobile email system. Hey, I'm about to do a 10 minute check to see if you have email now, please enter your password again! If you want a token you need a separate system. Good luck learning the basics of computer security, though!
  I see the problem now. You are assuming that everyone who has a microsoft account uses for email and checks it from their phone. I only use my microsoft account to access MSDN and MSN Messenger from my desktop, it isn't linked to any email or on my phone at all. In my case their solution works perfectly as 2 factor authentication as the phone is completely separate from the password.
23. Re:Wait a minute... by Zero__Kelvin · 2013-04-20 02:24 · Score: 1
  
  You have the issue inverted. The fact that people use their phone for email means Microsoft has to address that (most common) use case. Your corner case is exactly that. Most people use their smartphone for email. A solution that breaks functionality, especially functionality used by the majority, is not a solution.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
24. Re:Wait a minute... by BradleyUffner · 2013-04-20 05:03 · Score: 1
  
  The fact that my case exists at all and counts as 2 factor authentication means than microsoft has ACTUALLY created 2 factor authentication. How many people do you know who have microsoft email addresses? I'm betting that my type of usage isn't all that uncommon.
25. Re:Wait a minute... by Zero__Kelvin · 2013-04-20 07:12 · Score: 1
  
  ""With this release you can choose to protect your entire account with two-step verification, regardless of what service, or device, you are using with your Microsoft account," says Eric Doerr, a Microsoft group program manager. "It's your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we've worked hard to make set-up really easy." "
  
  I didn't say they didn't implement it. It is merely that they have broken functionality. You get to choose between using it, and not having a partially broken system. It is a typical Microsoft "solution" in that regard, of course ;-)
  
  Now off you go ...
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Microsoft has accounts? by Animats · 2013-04-17 09:04 · Score: -1, Troll

Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
1. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-17 09:09 · Score: 3, Informative
  
  Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
  windows live (PC gaming). Xbox gaming. Hotmail.
2. Re:Microsoft has accounts? by DogDude · 2013-04-17 09:26 · Score: 2
  
  I have one for downloading apps onto my Windows Phone.
  
  --
  I don't respond to AC's.
3. Re:Microsoft has accounts? by ArcadeMan · 2013-04-17 09:27 · Score: 0
  
  Steam, Battle.net, Gmail.
  No Microsoft in sight!
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
4. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-17 09:27 · Score: 1
  
  Unless you're a [insert company name] developer, what would anyone want a "[insert company name] account" for?
5. Re:Microsoft has accounts? by tgd · 2013-04-17 09:34 · Score: 4, Informative
  
  Unless you're a Microsoft developer, what would anyone want a "Microsoft account" for? Hotmail?
  Skype, Hotmail, Live properties, Xbox Live, Messenger, Windows 8 users with linked accounts, Skydrive ...
  Microsoft has more individuals with accounts than anyone else, by far.
  You may not have one (although, even if you were 100% Linux, unless you've never used Skype, you do have one), but virtually every other person with a computer does.
6. Re:Microsoft has accounts? by tepples · 2013-04-17 09:39 · Score: 1
  
  windows live (PC gaming). Xbox gaming. Hotmail.
  Steam, Battle.net, Gmail.
  Both Steam (for Valve and those who publish through Valve) and Battle.net (for Blizzard) are primarily for games in mouse and keyboard genres, as I understand it. Other than Xbox Live, what service caters to gamepad gamers?
7. Re:Microsoft has accounts? by ericloewe · 2013-04-17 09:42 · Score: 1
  
  Hotmail/Outlook webmail, Xbox Live, Windows 8 sync features, SkyDrive, Office 365, Messenger/Skype, MSDN/Technet, online Microsoft store, and I'm sure there's a few more obscure things.
8. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-17 10:13 · Score: 0
  
  windows live (PC gaming). Xbox gaming. Hotmail.
  Steam, Battle.net, Gmail.
  Both Steam (for Valve and those who publish through Valve) and Battle.net (for Blizzard) are primarily for games in mouse and keyboard genres, as I understand it. Other than Xbox Live, what service caters to gamepad gamers?
  Time to upgrade to a real control scheme then.
9. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-17 10:26 · Score: -1
  
  are you a google developer? No? Great, gtfo gmail.
  So much stupidity today, and it's only Wednesday!
10. Re:Microsoft has accounts? by ArcadeMan · 2013-04-17 10:27 · Score: 1
  
  I wouldn't want to play Mega Man or Metroid with a keyboard and a mouse.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
11. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-17 11:59 · Score: 0
  
  Mostly everything on the PC has controller support these days. Steam even lists "Full controller support" (when applicable) in a sidebar on the store page of every game along with things like "Single-Player, Multi-Player, Steam Achievements" etc.
  I don't think very many genres benefit from having controller support but if the game supports a controller on the xbox/ps3 then it probably does on the PC as well.
12. Re:Microsoft has accounts? by node+3 · 2013-04-17 13:07 · Score: 1
  
  Time to upgrade to a real control scheme then.
  Or, you know, not limit yourself out of silly fanboyism.
13. Re:Microsoft has accounts? by node+3 · 2013-04-17 13:09 · Score: 1
  
  I don't think you understand the question. He means, why would anyone want to use a product that he doesn't use?
  He doesn't use those things, ergo no one else should either. It's the Slashdot way.
14. Re:Microsoft has accounts? by tehcyder · 2013-04-17 23:38 · Score: 1
  
  *golfclap*
  Yes, I think we know that there are alternatives to Microsoft. The original question was why would you want to use a Microsoft account. It's self evident that it would be for Microsoft services.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
15. Re:Microsoft has accounts? by tehcyder · 2013-04-17 23:40 · Score: 1
  
  I have one for downloading apps onto my Windows Phone.
  I'm pretty sure that's illegal in slashdot-world.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
16. Re:Microsoft has accounts? by Anonymous Coward · 2013-04-18 02:50 · Score: 0
  
  wait, so only 100% linux users who never use skype don't have windows accounts? Are you sure about that? That would come as a shock to my wife... could you be so kind as to tell us what the account is? And the only reason *I* have a MS account is due to work (and there are still folks here who don't, I'm just in an unfortunate minority). And we are predominately windows here. Just no reason to have MS accounts. No need for skype. No need for hotmail (why? corporate email not good enough?), live properties (never heard that one, or is this a new name for passport, or hotmail, or whatever?), no need for xbox live without xbox (there aren't as many of these as you seem to think), or messenger, Win8 "linked accounts" tacitly admits that even Win8 isn't a microsoft account by itself without a serious stretch, and skydrive is another wannabe to a google service.
  I would be surprised if MS has more individual accounts by far than anyone else... say Google. More? Maybe. By far? That seems quite a stretch. Google has far more reach than MS as they don't limit themselves to windows users (yeah, after MS bought skype you can include those, but the rest of what you list is effectively "for windows users only" -- hotmail is a sad, sad joke.) But you can run Windows without ever creating a "microsoft" account.
  OTOH, Apple has a pretty clear share (albeit smaller) due to the relative necessity for an apple account to use an ipad/iphone. And of course google owns those with an android device -- and that /is/ a large number of folks.
17. Re:Microsoft has accounts? by Coren22 · 2013-04-18 03:00 · Score: 1
  
  Why not? How is the Wii-mote any different than a mouse? And the keys on the Wii-mote are pretty much like a keyboard. The newer editions of Metroid have you aiming by pointing the Wii-mote, this is not much different than any other FPS on the computer. It would be much easier to use a keyboard/mouse than the Wii controllers.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
18. Re:Microsoft has accounts? by ArcadeMan · 2013-04-18 06:06 · Score: 1
  
  I was obviously referring to Metroid and Super Metroid. Trying to play Metroid Prime with a gamepad like the ones on the PS3 or the Xbox360 would be a nightmare.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
You can have my own mobile number by Anonymous Coward · 2013-04-17 09:10 · Score: 0

when i can have Bills, Balmers, Larry, Sergei and the rest of the executives
maybe someone should start a website with this information, if you have nothing to hide..........
1. Re:You can have my own mobile number by BradleyUffner · 2013-04-17 09:17 · Score: 1
  
  when i can have Bills, Balmers, Larry, Sergei and the rest of the executives
  maybe someone should start a website with this information, if you have nothing to hide..........
  Go get a free Google Voice number that you only use to receive the text messages on.
2. Re:You can have my own mobile number by tepples · 2013-04-17 09:24 · Score: 1
  
  Go get a free Google Voice number that you only use to receive the text messages on.
  From the signup page:
  
  *Please note that Google Voice is only available in the US
  *You will be required to verify an existing US phone number to get a Google Voice number
  What alternative to Google Voice do you recommend for people outside the United States?
3. Re:You can have my own mobile number by thedonger · 2013-04-17 09:45 · Score: 1
  
  What alternative to Google Voice do you recommend for people outside the United States?
  Baidu Voice! But all calls are screened to make sure you only say nice things about the Chairman.
  
  --
  Help fight poverty: Punch a poor person.
4. Re:You can have my own mobile number by wonkey_monkey · 2013-04-17 10:00 · Score: 1
  
  Quite right too. Lovely chap.
  
  --
  systemd is Roko's Basilisk.
5. Re:You can have my own mobile number by Medievalist · 2013-04-18 04:00 · Score: 1
  
  William Shatner? Or the Japanese guy?
privacy ? by roscocoltran · 2013-04-17 09:23 · Score: 0

I'm not sure that I want to give Microsoft my phone number. I switched to outlook.com from Google because of privacy concerns (If you know a better free solution then feel free to share the info btw) and it's not to give away an information like a real phone number.
1. Re:privacy ? by postbigbang · 2013-04-17 09:27 · Score: 1
  
  Google added the USB-dongle called the YubiKey, which is "something you have" that can squirt a code for a second factor. I prefer not using my phone number either. There are other OpenID solutions possible as well-- that are datum-based, rather then some other ID field that ought not to be distributed.
  
  --
  ---- Teach Peace. It's Cheaper Than War.
2. Re:privacy ? by Nerdfest · 2013-04-17 11:42 · Score: 1
  
  Google also has the "Google Authenticator", which DropBox also uses. It's free, open-source, and multi-platform. It would have been nice if they had it as an option, as it works quite well (nice for SSH as well).
3. Re:privacy ? by Anonymous Coward · 2013-04-17 16:33 · Score: 0
  
  And unknown to many Microsoft-bashing people here, Google Authenticator also works with Microsoft accounts (and vice-versa)!
  http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-two-factor-authentication/
4. Re:privacy ? by WolfgangPG · 2013-04-18 00:29 · Score: 1
  
  You can use Google's authenticator app or Microsoft's authenticator app. This was a typical poorly written summary on Slashdot. Anything MS does that is remotely positive was be half reported or not reported at all. http://arstechnica.com/security/2013/04/microsoft-rolls-out-standards-compliant-two-factor-authentication/
Two-step *NOT* Two-factor by DragonWriter · 2013-04-17 09:24 · Score: 3, Informative

The new option Microsoft authentication approach, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating comfirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password" plus "something else you know" (the password to alternative email.)
(Plus, since its sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
1. Re: Two-step *NOT* Two-factor by UnknowingFool · 2013-04-17 09:33 · Score: 1
  
  Indeed. At best this is pseudo two factor. At work we have RSA tokens for the second factor. If someone stole a user's token, they still need to know the user's username/password to get in.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
2. Re:Two-step *NOT* Two-factor by BradleyUffner · 2013-04-17 09:41 · Score: 1
  
  The new option Microsoft authentication approach, as they describe it, is "two-step authentication", not "two-factor authentication". And, while the correct choice among the options they provide might make it two-factor authentication, they don't seem to focus on that in any particular way.
  Two-factor authentication is "something you have and something you know" (commonly, the something you know is a password, the something you have is a device generating comfirmation codes.) The options for the second step in authentication (password is the required first step for Microsoft accounts) include a code sent to an email address on file, making it "something you know" (your Microsoft account password" plus "something else you know" (the password to alternative email.)
  (Plus, since its sent through regular plaintext email if you are using that option, the second "step", in that case, relies on you supplying back information that Microsoft sends you over a completely insecure channel.)
  I understand the *convenience* offered by the alternative to actual two-factor authentication here, but I don't understand why this is done since the convenience in "two-step" authentication that allows you to choose for it not to be two-factor authentication defeats the entire purpose of not using simple one-factor authentication.
  According to the article the message is sent to your phone via Text Message, NOT email. This means you have to physically have access to the phone to receive the message. Combine this with your password and that sure seems like 2 factors to me.
3. Re:Two-step *NOT* Two-factor by tgd · 2013-04-17 09:41 · Score: 2
  
  Two step and two factor are two terms used for the same thing. Virtually all two-factor authentication mechanisms work via two steps -- that includes hardware token, software token, biometric, etc ... In fact, its *extremely* rare for a two factor authentication to be single-step.
  The differences you're talking about are not even being pedantic, they're also irrelevant to the fact that its two factor/step.
4. Re:Two-step *NOT* Two-factor by DragonWriter · 2013-04-17 09:55 · Score: 1
  
  According to the article the message is sent to your phone via Text Message, NOT email.
  
  Both TFA [1] and, more importantly and more explicitly, the actual Microsoft announcement [2] linked in TFA on which TFA is based note that users have the option of using either a secondary email address (to which email is sent) instead of a mobile phone number (to which SMS is sent) for the "second step".
  [1]: "Microsoft is using additional verification methods such as a short code sent to the user's mobile phone, which is then entered in addition to the password, or by asking the user to supply additional information, such as an alternative email address."
  [2]: "This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info."
  
  This means you have to physically have access to the phone to receive the message.
  If SMS was the only second-step option (or even, the only option other than the dedicated authenticator app), and if SMS was a secure channel such that being able to capture the SMS required having physical access to the phone, this would be correct. Neither of these, however, is true.
  If Microsoft at least disclosed to consumers that some of the options they provide were weaker-security options, this probably wouldn't be a big deal; as it is, Microsoft is adding something that seems attractive based on what people no doubt here about "two-factor authentication", with a deliberately similar name ("two-step authentication"), which includes multiple alternatives designed to make it more convenient, without disclosing that those alternatives undermine the security benefit of two-factor authentication.
5. Re:Two-step *NOT* Two-factor by DragonWriter · 2013-04-17 10:01 · Score: 2
  
  Virtually all two-factor authentication mechanisms work via two steps
  
  Sure, two-factor necessarily is two-step (since providing each factor is a step), but not all things that use two steps are also two-factor (just as all humans are mammals, but not all mammals are humans.) And, while if you choose the authenticator option (and, with some substantial caveats, arguably also the SMS option), the Microsoft two-step process can be a two-factor system, it also includes one option (the email option) which is unmistakeably not a two-factor system (unless it happens to be for reasons unrelated to the Microsoft implementation, such as where your alternative email address is itself secured by two-factor authentication.)
  
  The differences you're talking about are not even being pedantic, they're also irrelevant to the fact that its two factor/step.
  The "something you know/something you know" email option is clearly "two-step", but its not at all "two-factor", which is probably why Microsoft doesn't call their system "two-factor authentication", just the accurate and similar-enough-to-benefit-from-confusion "two-step authentication".
6. Re:Two-step *NOT* Two-factor by BradleyUffner · 2013-04-17 11:04 · Score: 1
  
  Just because the user doesn't opt to use the true 2 factor for authentication doesn't mean Microsoft doesn't allow it.
  In the past 2 factor authentication was not available, after this change it is. I'm not trying to address end user usability, just the fact the the post I originally responded to tried to claim that this solution doesn't really offer 2 factor authentication when it clearly does.
7. Re:Two-step *NOT* Two-factor by DragonWriter · 2013-04-17 14:36 · Score: 1
  
  Just because the user doesn't opt to use the true 2 factor for authentication doesn't mean Microsoft doesn't allow it.
  Sure, but the fact that Microsoft calls it something confusingly similar and enables modes of operation for its "two step" system that aren't 2 factor auth, and doesn't do anything to draw attention to the security differences between the options that are two-factor auth and those that aren't, means that lots of people are going to be misled into bad choices.
  Its good for those who already understand what two-factor auth requires and what the security benefits are, and it actively misleads everyone else by making them think that they are getting the same security benefits.
8. Re:Two-step *NOT* Two-factor by thoromyr · 2013-04-18 02:54 · Score: 1
  
  its fairly similar to Apple's new option which isn't two factor (and apple doesn't call it that), but is widely *reported* as being "two factor". In the case of Apple, you can secure your account against normal password recovery attacks (e.g., a social engineering call to Apple support with a bit of personal information gleaned from facebook). And while that may have some utility for some people it is definitely /not/ two factor authentication.
9. Re:Two-step *NOT* Two-factor by thoromyr · 2013-04-18 03:05 · Score: 1
  
  two factor authentication requires two factors to authenticate. From the MS piece this reads like Apple's recent enhancement and it is *not* adding two factor authentication to your MS (or Apple) account. Rather it revises the account recovery process to, in principle, better protect an account from being "stolen" via social engineering. Great, that has some utility. But two factor authentication it is not.
  To be clear: two factor authentication for the account would be if two separate factors were required to authenticate. In the case of an Apple account that would mean to authenticate for email would require presenting two separate factors (e.g., something I know, something I have). But with both Apple and Microsoft this is not the case: authentication is still only password "protected". Only some limited areas are covered by two-factor (or something dressed up to look like it). So if you re-use your password and one place you use it at is compromised this does absolutely nothing to prevent a bad guy from running amok through your account and personal life. (Particularly given the general propensity for logins to take the form of email/password.)
  The reality is that passwords as protection have been dead for at least a decade, but very few are cognizant of it. Instead, there is talk about "strong" passwords, or "passphrase" or whatever is intended to shore up a model that is dead and broken lying by the side of the road, but still used because it is familiar and convenient.
10. Re:Two-step *NOT* Two-factor by BradleyUffner · 2013-04-18 07:03 · Score: 1
  
  Once again, it DOES use 2 factors. Your password, which should only be in your head, and and physical access to the the phone to receive the text message containing an access code. I don't understand why this is so hard for people to grasp.
11. Re: Two-step *NOT* Two-factor by BradleyUffner · 2013-04-19 06:14 · Score: 1
  
  If you store your password on your phone then you aren't using this correctly. You say your use RSA tokens, and you consider that 2-factor. If some user choose to write their user name and password on the back of the RSA token then THAT USER is using it incorrectly, NOT you. The same situation applies here for microsoft, if you choose to store your password on the same token generating device then you broke it, not microsoft.
12. Re: Two-step *NOT* Two-factor by UnknowingFool · 2013-04-19 09:30 · Score: 1
  
  The system that MS describes requires you to know two static pieces of information. Yes the second piece was sent to your phone via an unsecured connection. It doesn't require that you actually have the phone. RSA tokens require you to have the token for two minutes or so. After that any information you have copied is useless.
  
  If some user choose to write their user name and password on the back of the RSA token then THAT USER is using it incorrectly, NOT you. The same situation applies here for microsoft, if you choose to store your password on the same token generating device then you broke it, not microsoft.
  A user choosing to be callous with the secret information that they know is a red herring. It doesn't change the fact they they were required to know it. Just like some two-factor systems require a fingerprint scan. Well a severed finger can fool a system but that doesn't mitigate that the finger was required. The problem is not whether a stupid user can break the system; they can. The fact is that what MS describes is not truly two-factor by definition.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
13. Re: Two-step *NOT* Two-factor by BradleyUffner · 2013-04-19 09:50 · Score: 1
  
  I do not understand how you can say this is not 2-factor authentication when used properly.
  I have a microsoft account. The password for this account is only in my head, it is not stored on my phone anywhere. I don't use the account for email so it isn't stored for later. If I want to log in to MSDN from my desktop under this new system I need to use my password from my head, and I need to have access to the phone to receive the code sent to it via SMS. If someone swipes my phone they can not get in to my account because the password is not stored on it. If someone finds my password they can't get in without my phone. That sure sounds like 2 factor authentication to me.
14. Re: Two-step *NOT* Two-factor by UnknowingFool · 2013-04-19 10:19 · Score: 1
  
  I have a microsoft account. The password for this account is only in my head, it is not stored on my phone anywhere. I don't use the account for email so it isn't stored for later. If I want to log in to MSDN from my desktop under this new system I need to use my password from my head, and I need to have access to the phone to receive the code sent to it via SMS. If someone swipes my phone they can not get in to my account because the password is not stored on it. If someone finds my password they can't get in without my phone. That sure sounds like 2 factor authentication to me.
  By definition: Two factor means two different ways to authenticate not two different pieces of information. A username and password is not two factor. Adding a secondary code that you are required to know is still not two factor. For most systems what you know and what you have are the most common. A key fob, RSA token is commonly a second factor. A third factor is who you are (like DNA/eye scans). What MS describes is a second code. It is still not two factor. Now they deliver the code via an unencrypted means to your phone number. This however can be intercepted. It is also static. Once someone has the code, they can get in. If a RSA code is required (unless you've broken into RSA Inc, and stolen the crypto seeds which happened), you need to get the token.
  Some POS terminals for restaurants employ two factor: Employee's swipe card and their password. If another employee looks over their shoulder while they punch in their code, it requires the other employee to steal their card to work or replicate a new card. Is this possible? Yes. What you are confusing is the ease of someone to get the two factors with whether or not it is two factor.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
15. Re: Two-step *NOT* Two-factor by BradleyUffner · 2013-04-19 12:06 · Score: 1
  
  You may have a point about the SMS code being intercepted, but It doesn't make sense at all that it's static. My understanding is that once you log in with your password you will be prompted along the lines of "We will now send a [random] code to your phone, please enter that code to continue." Other than the unlikely ability for this code to get intercepted it is the same as the pseudo random code displayed on an RSA device. It would only give access for that once use and would in all likelihood be time limited. The next time you want to log in a new code is generated on Microsoft's end and sent to your phone for that one instance.
16. Re: Two-step *NOT* Two-factor by UnknowingFool · 2013-04-19 14:34 · Score: 1
  
  Unless they send it to your phone each and every time you attempt login, it is still two step. If they don't, it is a static code at some point. I doubt that MS would do this every time. The fees would be outrageous. Maybe once in a while if you need to reset your password or forgot your password. I login to my computer a dozen times a day. Using the RSA token each time is already a hassle.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
I have a land line, you insensitive clod by tepples · 2013-04-17 09:27 · Score: 0

"The chief form of secondary authentication will be a short code sent to the user's mobile phone"
Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?
1. Re:I have a land line, you insensitive clod by cstream_chris · 2013-04-17 09:34 · Score: 1
  
  I just set it up. You can also receive the code via a phone call.
2. Re:I have a land line, you insensitive clod by ericloewe · 2013-04-17 10:18 · Score: 1
  
  30 buck Nokia with pre-paid SIM? Where do you live that you can't afford a basic cell phone?
  Besides, you can generate the required codes:
  http://en.wikipedia.org/wiki/Google_Authenticator - available for nearly every modern computing device.
3. Re:I have a land line, you insensitive clod by node+3 · 2013-04-17 13:18 · Score: 2
  
  "The chief form of secondary authentication will be a short code sent to the user's mobile phone"
  Some people don't have $400 per person per year for their own mobile phone. Instead, they share a house phone. Since when can land lines receive text messages?
  So? If you don't have something, you can't use it. This is simple. You constantly seem to think that because something costs money, it's useless because there exists somewhere a person who can't afford it.
  How does that make any sense? What product in the world lives up to that criticism?
  Why constantly feel the need to knock things down that add value to the world? If you don't have a cell phone, you can't use this, but that it exists means that the billions of people that do have a cell phone can. The cell-less lose nothing, and those with cells gain. What is wrong with that?
  Such negativity, how horribly unnecessary and pointless!
Excuses to get phone numbers by WaffleMonster · 2013-04-17 09:34 · Score: 5, Interesting

If MS really cared that much about security they would offer the use of client certificates. Much more secure than SMS.
Judging by what passes for acceptable practice today my guess this is all likely all effectivly a moot point as convenience password recovery measures effectivly curtail actual security gains.
1. Re:Excuses to get phone numbers by Anonymous Coward · 2013-04-17 09:46 · Score: 0
  
  client certificates are a retarded system for users, they only result in a user not using anything. That is like giving someone a 10 pound sledge hammer to push in a thumbtack.
2. Re:Excuses to get phone numbers by WaffleMonster · 2013-04-17 10:58 · Score: 1
  
  client certificates are a retarded system for users, they only result in a user not using anything. That is like giving someone a 10 pound sledge hammer to push in a thumbtack.
  Why? Import a pk12 file into a browser takes seconds. What is the big deal?
3. Re:Excuses to get phone numbers by swillden · 2013-04-17 11:57 · Score: 1
  
  client certificates are a retarded system for users, they only result in a user not using anything. That is like giving someone a 10 pound sledge hammer to push in a thumbtack.
  Why? Import a pk12 file into a browser takes seconds. What is the big deal?
  And when you use a different browser, say while at a friend's house?
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:Excuses to get phone numbers by sfm · 2013-04-17 14:00 · Score: 1
  
  What if "security" is not the main goal of the change? Knowing your phone number goes a long way to identifying who you really are. It is unlikely that you have an alias associated with your cellphone account.
5. Re:Excuses to get phone numbers by WaffleMonster · 2013-04-17 14:40 · Score: 1
  
  And when you use a different browser, say while at a friend's house?
  There are corner cases for all solutions including passwords. Security is fundementally a tradeoff.
  Last time I used someone elses computer to login to anything was 10 years ago. I would argue using a "friends" or otherwise untrusted guest computer is insecure and unwise.
  Client certs are one of the few viable options to provide cryptographic binding of identity to session encryption.
6. Re:Excuses to get phone numbers by tlhIngan · 2013-04-17 16:59 · Score: 1
  
  Last time I used someone elses computer to login to anything was 10 years ago. I would argue using a "friends" or otherwise untrusted guest computer is insecure and unwise.
  And greatly degrades the usability of things like webmail (what's the point if you can only check it from one place?). Or consider it's also tied to Xbox Live, you MIGHT want to access your account for a cloud saved game, or play a game you bought that your friend doesn't.
  There's probably other services as well - like MSDN/TechNet that are also tied to your Microsoft account.
7. Re:Excuses to get phone numbers by Anonymous Coward · 2013-04-17 22:50 · Score: 0
  
  Why? Import a pk12 file into a browser takes seconds. What is the big deal?
  You mean export? Only you are allowed to have your private key file, so the browser needs to generate it (unless you are going to install openssl and do it manually). You then export your public key file, and send that to Microsoft.
  Or do you suggest some kind of broken model where Microsoft generates the key that only you are allowed to ever have a copy of, and sends it to you through some insecure communication medium like the internet or phone network?
8. Re:Excuses to get phone numbers by swillden · 2013-04-18 02:08 · Score: 1
  
  Last time I used someone elses computer to login to anything was 10 years ago. I would argue using a "friends" or otherwise untrusted guest computer is insecure and unwise.
  I posit that the majority of webmail users have used someone else's machine to check their e-mail within the last year. I know I have. In addition, for me, there's the fact that I have too many machines, and change machines too often. Right now, for example, I authenticate to Google regularly from a MacBook Air, two Ubuntu desktop machines, two Chromebooks, two tablets and a phone. Having to manually propagate a .p12 file to all of these would be enough of a pain that it might deter me using stronger authentication at all. Heck right now I have a new Chromebook that I've had for a week and still haven't gone through the process of installing a certificate needed to allow it on the corporate network. It's a simple process, but it's enough of an obstacle that it deters me.
  Also, using certificate-based authentication is that it makes the "something you have" your computer, rather than a separate device. There are threat models in which that's a better solution than having your phone be the second factor device, but there are also models in which it's much worse. I think for most users the phone is a much better tradeoff, better fitting their usage patterns and threat models.
  It's certainly the case for me. An OTP generator on my smartphone is a manageable inconvenience and adds considerable security. It's a good tradeoff. I've done client cert-based authentication in the past -- and indeed I use it now extensively on production systems that I build -- but it's a poorer solution for my needs and usage patterns. I'm a big fan of crypto security (it's my day job), but it's not always the best solution.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:Excuses to get phone numbers by WaffleMonster · 2013-04-18 04:50 · Score: 1
  
  I posit that the majority of webmail users have used someone else's machine to check their e-mail within the last year. I know I have. In
  If you don't care about security then why would you bother enabling two-factor authentication in the first place at all?
  I am not advocating this as the only solution suitable for everyones needs. My only observation is the option should be made available for people who care about security.
  
  addition, for me, there's the fact that I have too many machines, and change machines too often. Right now, for example, I authenticate to Google regularly from a MacBook Air, two Ubuntu desktop machines, two Chromebooks, two tablets and a phone. Having to manually propagate a .p12 file to all of these would be enough of a pain that it might deter me using stronger authentication at all. Heck right now I have a new Chromebook that I've had for a week and still haven't gone through the process of installing a certificate needed to allow it on the corporate network. It's a simple process, but it's enough of an obstacle that it deters me.
  Clicking on a file is not a big deal no matter how many computers you have.
  If you don't want to exert the effort that is your perogative. Nobody is forcing you or saying you you must only use client certs. Certainly not my words or my intent.
  I can sit here and rail against the (in)convienence of any security measure. They are all tradeoffs and they all suck to someone.
10. Re:Excuses to get phone numbers by WaffleMonster · 2013-04-18 04:59 · Score: 1
  
  Also, using certificate-based authentication is that it makes the "something you have" your computer, rather than a separate device. There are threat models in which that's a better solution than having your phone be the second factor device, but there are also models in which it's much worse.
  This is a dangerous illusion we've seen explioted ad nauseum (e.g. token cards) If you don't trust your computer then using it anyway is completely nonsensical.
11. Re:Excuses to get phone numbers by WaffleMonster · 2013-04-18 05:14 · Score: 1
  
  You mean export? Only you are allowed to have your private key file, so the browser needs to generate it (unless you are going to install openssl and do it manually). You then export your public key file, and send that to Microsoft.
  Or do you suggest some kind of broken model where Microsoft generates the key that only you are allowed to ever have a copy of, and sends it to you through some insecure communication medium like the internet or phone network?
  Both options are completely acceptable to me. At some point you would have had to create an account using some pre-existing trust relationship. This is typically done online using an SSL session with trusted roots stored in a browser. At this point when you are sending your passwords and all associated data to the remote server if the server wants to send you back neat file with public/private key pairs I have no problem with that.
  The only reason for having the client cert is to provide strong identity to the server so if the server provides all the keys to do this in a neatly packaged easy to install bundle who cares? I would hope alternate options are available to allow users to submit a signing request if they wanted to protect against compromise of setup of initial trust relationship...practically if that occured it is game over regardless.
12. Re:Excuses to get phone numbers by swillden · 2013-04-18 05:38 · Score: 1
  
  Also, using certificate-based authentication is that it makes the "something you have" your computer, rather than a separate device. There are threat models in which that's a better solution than having your phone be the second factor device, but there are also models in which it's much worse.
  This is a dangerous illusion we've seen explioted ad nauseum (e.g. token cards) If you don't trust your computer then using it anyway is completely nonsensical.
  Trust isn't boolean. There are many different ways some portions of your computer might be compromised in a time-limited way.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
"Senate Torpedoes Background Check Deal" by Anonymous Coward · 2013-04-17 09:38 · Score: -1

http://www.rollcall.com/news/senate_torpedoes_background_check_deal-224103-1.html?zkPrintable=true
"Senate Torpedoes Background Check Deal"
Oh yea, make that Democratic Senate.
Just want to gloat at you douchebags. Gloat! Gloat! Gloat! Gloat!
Only kinda-sorta new ... by tgd · 2013-04-17 09:38 · Score: 2

Microsoft Accounts have supported two factor authentication for "sensitive" actions for quite a while -- adding trusted PCs, changing billing methods, resetting passwords, etc ...
Two things new with this:
- The ability to set the account to require it at login for normal authentications
- The ability to use 3rd party token applications (like Google Authenticator) for the tokens, instead of SMS.
Good two factor has been free for ages.. by Anonymous Coward · 2013-04-17 09:58 · Score: 0

Two-Factor has been free for ages. You can get an NPS module that does text message, google auth, and loads of stuff at www.wrightccs.com and have been able for a long time.
Yay! by Anonymous Coward · 2013-04-17 10:04 · Score: 0

I desperately want Microsoft to have my phone number. They would never sell that.
Is this some sort of scam to get marketing data because Bing sucks?
So? They do this regularly! by s.petry · 2013-04-17 10:16 · Score: 0

Microsoft is constantly hopping on bandwagons. It gets them free advertising. They don't care that a good chunk of the population points out that they do things poorly, mislabel things, intentionally name things wrong, break standards, break other products, etc... They care that you are talking about them.
Every other week we read about MS hyping some other bullshit they think they invented. Most laugh at them, a few fanbois run out and buy what ever they are hawking, but most importantly we all see their name enough where it's impossible to ignore it.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
All these authentication measures want my cell by WillAffleckUW · 2013-04-17 10:35 · Score: 1

All of these authentication measures seem to want my cell phone.
I don't have onr, and you can phone me when Hades freezes over.

--
-- Tigger warning: This post may contain tiggers! --
1. Re:All these authentication measures want my cell by lpq · 2013-04-18 04:58 · Score: 1
  
  Ditto on the above. It's bothersome enough that they have the presumption that I have one BUT worse, once they have it, they can add automatic tracking of my location to their database if I have location services enabled on the phone. AFAIK, that's open all the time the phone is on -- unlike, 'theoretically', the emergency location transponder that is enabled when you use emergency services.
  Isn't such such tracking considered a feature for those using the phone to take location-labeled pictures?
Four factors: Old, New, Borrowed, and Blue. by girlinatrainingbra · 2013-04-17 19:30 · Score: 1

Wait, wait, I thought that the four factors were: 1 -- something old,
2 -- something new,
3 -- something borrowed,
4 -- something blue,
Wait, isn't that what we were talking about?
Mega Man, Metroid, and New Play Control by tepples · 2013-04-18 02:03 · Score: 1

True, the 8- and 16-bit titles in the Mega Man and Metroid series are probably better played with a gamepad than with a pointing device. But pointing device advocates would claim that the play style of these older games is a relic of the past, and series need to evolve to keep up with changing play styles implied by higher-resolution input devices. For example, a pointing device would have helped third-person shooters like Mega Man Legends and first-person shooters like Metroid Prime series. In fact, Nintendo made Metroid Prime 3 for its Wii Remote pointing device and remade several games for the Wii Remote for its "New Play Control" line, including a 3-pack of the Metroid Prime series. You can help keep your argument relevant by explaining how controller-friendly play styles aren't a relic.
1. Re:Mega Man, Metroid, and New Play Control by ArcadeMan · 2013-04-18 06:05 · Score: 1
  
  1. Mega Man Legends was one of the worst games I've ever played.
  2. Anyone who considers 2-D games "relic" isn't worth arguing with.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
Games that are on 360 but not on PC by tepples · 2013-04-18 02:04 · Score: 1

I don't think very many genres benefit from having controller support
In light of someone's recent post about what he perceives to be the reality of the video game market, I've been doing a bit of research into what makes a game better with a controller than with a pointing device. Any game where the player controls one character on the screen that moves and jumps would benefit from a gamepad. Platformers and fighting games are the big ones, and I'm not sure how well the Zelda games for DS worked with pointing-device-only control.

if the game supports a controller on the xbox/ps3 then it probably does on the PC as well.
Mortal Kombat (2011) doesn't support a controller on the PC because it isn't made for PC. If a game is on Xbox 360 but the publisher has declined to port it to the PC, you need a Microsoft account and an Xbox Live Gold subscription to play online.
Mandatory 2-factor authentication by tepples · 2013-04-18 02:07 · Score: 1

If you don't have a cell phone, you can't use this
As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.
1. Re:Mandatory 2-factor authentication by node+3 · 2013-04-18 17:39 · Score: 1
  
  If you don't have a cell phone, you can't use this
  As of right now, "this" means the 2-factor authentication for a Microsoft account. Perhaps my paranoia comes from a fear that Microsoft might make 2-factor authentication mandatory.
  But they haven't. Quit hanging people for things they *can* do, but *haven't* done.
  Why live in fear of the infinite possible bad things that can happen? Very few of them ever actually come to pass. You're letting things that don't exist, and never will exist, limit your life. And what's worse, you constantly advocate against others using those things as well, asking them to make their lives worse too.
  For what? The non-existent? How dreadful!
Balance expiry; cost to receive texts by tepples · 2013-04-18 02:10 · Score: 1

pre-paid SIM
Each U.S. carrier that I've looked at will expire the balance on a prepaid mobile phone account if the user doesn't top up regularly. And in the United States, the receiver pays 20 cents to receive a text message unless the receiver is on a monthly unlimited texting plan. Having to pay the carrier a dollar every five times I log in to anything that uses a Microsoft account could add up quickly.
Help me build the counterargument by tepples · 2013-04-18 06:38 · Score: 1

Anyone who considers 2-D games "relic"
It's not that games with 2D graphics are "relics". It's that gamepads are allegedly "relics". The most popular mobile gaming platforms today are iOS and Android, and those ship with a capacitive multitouch screen. A lot of popular touch-oriented games, such as Angry Birds series, use 2D graphics. So do plenty of mouse-driven Flash games on Newgrounds. Other than 2D platformers and fighting games, whose popularity compared to other genres has waned, what genres really need a gamepad?

isn't worth arguing with.
Yet pointing device advocates keep arguing for pointing devices, and they occasionally get moderated up. So it's best to have a counterargument ready instead of just an ad hominem.
Bullshit. by UltraZelda64 · 2013-04-18 17:32 · Score: 1

It's a trade-off between either the extra security of two-factor authentication, or the convenience of linking more than one account to be able to switch between them with ease. Why can't Microsoft follow Google's lead and give us the ability to both log in securely and stay logged in to multiple accounts at the same time? It's irritating enough to have to log out and then log back in with the other username/password, and the "stay logged in" check box is fucking useless when you have to log out every god damn day anyway to check something on your other account.